Documente Academic
Documente Profesional
Documente Cultură
technical standards
August 2009
Updated October 2014
Contents
1. Introduction
2. Definition of terms
6
7
9
11
12
13
14
17
18
19
20
21
22
23
24
24
25
26
27
28
29
30
31
31
31
31
31
32
33
34
36
36
36
36
37
37
37
38
38
38
38
38
39
Introduction
1.1
This document sets out remote and gambling software technical standards issued by the
Gambling Commission (the Commission) under section 89 and section 97 of the Gambling
Act 2005 (the Act).
1.2
This document replaces the Remote gambling and software technical standards (RTS)
June 2007.
Review of RTS
1.3
The Commission has monitored RTS since they came into force on 1 September 2007.
The Commission also carried out an initial review of RTS between October and December
2008 to determine whether there were any possible issues or changes that warranted a full
consultation.
1.4
Feedback from stakeholders indicated that the RTS remain fit for purpose and there are no
issues that required full consultation. The Commission published an information note on
this in December 2008.
1.5
In October 2013, the British Standards Institute (BSI) published an updated security
standard; ISO/IEC 27001:2013. The Commission therefore has undertaken an
assessment and produced a security requirements summary which translates the existing
requirements under ISO/IEC 27001:2005 into the new standard under ISO/IEC
27001:2013.
No further requirements have been added to this requirements summary as the existing
requirements have simply been mapped onto the new standard.
Changes to RTS
1.6
This updated RTS document does not include any changes to policy. However, the
Commission has decided to publish an updated version to document the mapped security
requirements of ISO/IEC 27001/2013 as Annex A.
1.7
The Commissions Testing strategy for compliance with the remote gambling and software
technical standards(Testing strategy)- October 2014 sets out the Commissions current
requirements for the timing and procedures for testing. Compliance with the RTS and
testing strategy is a licence condition 1.
1.9
Importantly it sets out the circumstances in which independent third party testing is
required. The relevant standards are given in chapters 3 and 4 of this document.
1.10
The Testing strategy also sets out the independent audit requirements that licence holders
should fulfil. This is based on the relevant sections of ISO/IEC 27001: 2005 which are
Condition 2.3 in Licence Conditions and Codes of Practice (LCCP), May 2014
3
summarised in chapter 5 of this document, or for those adhering to the new security
standards, the relevant sections of ISO/IEC 27001:2013 which are summarised in Annex A
of this document.
The following standards do not apply to holders of remote bingo licences when making
facilities available by means of remote communication in respect of games of bingo played
on more than one set of premises:
RTS 1
RTS 2
RTS 6
RTS 8
RTS 9
RTS 11
RTS 12
RTS 13
RTS 14
IPA 1-5
IPA 7
Gambling software
1.11
In the case of gambling software, these technical standards only apply to manufacture,
supply, installation or adaptation of software for use in connection with remote gambling
which takes place in reliance on an operating licence issued by the Commission.
Definition of terms
2.1
Game
Instant lottery
Mapping
Lottery
Lottery ticket
Non-commercial society
Peer-to-peer gambling
Progressive or progressive
jackpot
Scaling
Scaling is the process used to convert the output from a RNG into the
format required to produce a result for a particular gambling product.
To illustrate, an RNG may produce a result of between 1 and 100,000
but these possible outcomes need to be scaled to the potential game
outcomes of, for example, between 1 52 (ie to correspond to a
standard pack of cards).
Refers to the process used to determine the initial state of the RNG.
Seeding
Subscription lottery
Telephone gambling
Virtual
must make an active choice not to have the information available or to install a user-interface that
does not contain the information. The remote gambling system should continue to make available
or send the information to the customer; it should not assume that the information is not required.
d. For subscription lotteries, sending a confirmation by email or post and/or displaying the first
draw and the number of draws for which the customer will be entered is sufficient.
i.
a description of the way the game works and the way in which winners are determined
and prizes allocated;
ii. house edge (or margin);
iii. the return to player (RTP) percentage; or
iv. the probability (likelihood) of winning events occurring.
RTS implementation guidance 3C
a. The following items provide further guidance on acceptable types of information about the
likelihood of winning:
i. for types of peer-to-peer games where the likelihood of winning may depend on skill
and/or the actions of other participants, a description of the way the game works and
how winners are determined will be sufficient;
ii. for bingo, and some types of lottery or other games where it is not possible to
determine the likelihood of winning because it depends on the eventual number of
participants, a description of the way in which prizes are allocated will be sufficient.
iii. the average theoretical return to player percentage. Where an event (other than peerto-peer) involves an element of skill, return to player percentage should be calculated
using either the auto-play strategy or a standard/published strategy;
iv. the house edge, margin or over-round, for example for a virtual race;
v. the probability of each winning event occurring, or such information as may reasonably
be expected to allow the customer to calculate the probability that the event will occur.
The nature of some games may mean that the game itself provides sufficient
information, for example, the likelihood of rolling a six on a six-sided die would not
require further explanation.
b. Information may be included in artwork and text displayed within the virtual game or event, in
help or how to play pages, or other supporting material.
c. Information should be easily accessible, for example by placing links on home pages for gaming
or virtual event sections, game selection pages or menus, or within individual games.
RTS requirement 3D
For each virtual event, game (including bingo), or lottery, content describing the potential prizes
and payouts or the means by which these are calculated or determined must be easily available
before the customer commits to gamble.
RTS implementation guidance 3D
a. Information should be made available about the amounts that customers may potentially win, for
example in the form of pay-tables, or by showing the odds paid for particular outcomes.
b. For peer-to-peer games where the prize is determined based on the actions of the participants,
a description of the way the game works and the rake or commission taken will be sufficient.
c. For lotteries and other types of events where the potential amount or prize paid out may not be
known before the customer commits to gamble, describing the way in which the prize amount is
determined will be sufficient.
d. Information may be included in artwork and text displayed within the virtual event, in help or
how to play pages, or other supporting material.
e. Information should be easily accessible, for example by placing links on home pages for gaming
sections, game selection pages or menus, or within individual games.
f. Displays of jackpot amounts that change over time (progressives) should be updated as
frequently as practicable, particularly after the amount has been reset following a win.
10
11
12
13
14
RTS requirement 7B
As far as is reasonably possible, games and events must be implemented fairly and in accordance
with the rules and prevailing payouts, where applicable, as they are described to the customer.
RTS implementation guidance 7B
a. Games should implement the rules as described in the rules available to the customer before
play commenced.
b. The mapping of the random inputs to game outcomes should be in accordance with prevailing
probabilities, pay tables, etc.
c. When random numbers, scaled or otherwise, are received, e.g. following a game requesting a
sequence of random numbers, they are to be used in the order in which they are received. For
example, they may not be discarded due to adaptive behaviour.
d. Numbers or sequences of numbers are not to be discarded, unless they fall outside the
expected range of numbers required by the virtual event such an occurrence should result in an
error being logged and investigated.
RTS requirement 7C
Game designs or features that may reasonably be expected to mislead the customer about the
likelihood of particular results occurring are not permitted, including substituting losing events with
near-miss losing events and simulations of real devices that do not simulate the real probabilities
of the device.
RTS implementation guidance 7C
a. Where a virtual event simulates a physical device, the theoretical game probabilities should
match the probabilities of the real device (for example, the probability of a coin landing heads must
be 0.5 every time the coin is tossed).
b. Where multiple physical devices are simulated the probabilities of each outcome should be
independent of the other simulated devices.
c. Games may not falsely display near-miss results, that is, the event may not substitute one
losing outcome with a different losing outcome.
d. Where the event requires a pre-determined layout (for example, hidden prizes on a map), the
locations of the winning spots should not change during play, except as provided for in the rules of
the game.
e. Where games involve an element of skill, every outcome described in the virtual event rules or
artwork should be possible, that is, the customer should have some chance of achieving an
advertised outcome regardless of skill.
f. Where a customer contributes to a jackpot pool, that customer should be eligible to win the
jackpot whilst they are playing that game, in accordance with the game and jackpot rules.
RTS requirement 7D
The rules, payouts and outcome probabilities of a virtual event or game may not be changed while
it is available for gambling, except as provided for in the rules of the game, lottery or virtual event.
Such changes must be brought to customers attention.
RTS implementation guidance 7D
a. Changes to game or event rules, paytables or other parameters that change the way in which a
game, lottery, or event works, the winnings paid, or likelihood of winning (except as described in
7Dc.), should be conducted with the game or event taken offline or suspended.
15
b. Altered games, lotteries, and events should display a notice that informs customers that the
game or event has been changed, for example, rules changed, new odds, or different payouts.
The notice should be displayed on game selection screens and on the events themselves if it is
possible for the customer to go straight to the event without using a selection screen.
c. This requirement is not intended to prevent games and virtual events where specified changes
occur legitimately, in accordance with the game or event rules, for example:
i. virtual events, such as virtual racing products where the odds differ from event to event
depending on the virtual runners
ii. virtual games, such as bingo where the odds of winning are dependent on the number
of entrants
iii. games with progressive jackpots, where the amount that can be won changes over
time
iv. games with bonus rounds where different rules apply, so long as these rounds are
properly described to the customer
v. unspecified changes to rules, paytables or other parameters that change the way in
which a game, lottery or event works are not permitted, for example, rules that state
game rules may be changed at any time would not be acceptable.
RTS requirement 7E
Except in the case of subscription lotteries, the system must be designed to clearly and accurately
display the result of the game or event and the customers gamble. The result must be displayed
for a length of time that may reasonably be expected to be sufficient for the customer to
understand the result of the game or event in the context of their gamble.
RTS implementation guidance 7E
The game artwork and text should be sufficient to provide the customer with all of the information
required to determine whether they have lost or won, and the value of any winnings.
16
17
18
19
20
22
23
24
25
26
27
28
29
30
5.1
This section sets out a summary of the RTS security requirements that licence holders
must meet. The Commission has based the security requirements on the relevant sections
of Annex A to the ISO/EIC 27001: 2005 standard.
5.2
The Commissions aim in setting out the security standards is to ensure customers are not
exposed to unnecessary security risks by choosing to participate in remote gambling. The
Commission has highlighted those systems that are most critical to achieving the
Commissions aims and the security standards apply to these critical systems:
electronic systems that record, store, process, share, transmit or retrieve sensitive
customer information, eg credit/debit card details, authentication information,
customer account balances
electronic systems that generate, transmit, or process random numbers used to
determine the outcome of games or virtual events
electronic systems that store results or the current state of a customers gamble;
points of entry to and exit from the above systems (other systems that are able to
communicate directly with core critical systems)
communication networks that transmit sensitive customer information.
34
6.1
Following a recent review, the British Standards Institution has updated the standard
ISO/IEC 27001:2005 to ISO/IEC 27001:2013.
6.2
The new standard has already been released and came into force in October 2013. The
Commission is aware that operators may wish to have their security systems audited
against the new standard.
6.3
6.4
No further requirements have been added to this requirements summary as the existing
requirements have simply been mapped onto the new standard. The new security
standards under ISO/IEC 27001:2013 have been included in the Commissions Remote
gambling and software technical standards under Annex A (below).
35
This section sets out a summary of the RTS security requirements that licence holders
must meet. The Commission has based the security requirements on the relevant sections
of the ISO/EIC 27001: 2005 standard and, where appropriate, has mapped them on to the
relevant sections of the ISO/IEC 27001:2013 standard. A full copy of the British Standards
can be obtained from BSI Customer Services, 389 Chiswick High Road, London, W4 4AL.
Tel: +44 (0)845 086 9001. Email: cservices@bsigroup.com
1.2
The Commissions aim in setting out the security standards is to ensure customers are not
exposed to unnecessary security risks by choosing to participate in remote gambling. The
Commission has highlighted those systems that are most critical to achieving the
Commissions aims and the security standards apply to these critical systems:
electronic systems that record, store, process, share, transmit or retrieve sensitive
customer information, e.g. credit/debit card details, authentication information,
customer account balances
electronic systems that generate, transmit, or process random numbers used to
determine the outcome of games or virtual events
electronic systems that store results or the current state of a customers gamble;
points of entry to and exit from the above systems (other systems that are able to
communicate directly with core critical systems)
communication networks that transmit sensitive customer information.
36
37
For further information or to register your interest in the Commission please visit our website at:
www.gamblingcommission.gov.uk
Copies of this document are available in alternative formats on request.
Gambling Commission
Victoria Square House
Victoria Square
Birmingham B2 4BP
T 0121 230 6666
E info@gamblingcommission.gov.uk
ADV 14/17
39